The provided Solidity contract is susceptible to a potential issue that may lead to the overestimation of claimable rewards for users. The miscalculation of earned rewards can occur due to inaccuracies in updating the global index and user-specific indexes, resulting in users being able to claim more rewards than they have legitimately earned.
The `updateFor` function is responsible for updating the earned rewards for a user. It calculates the difference (`_delta`) between the current global index (`index`) and the user's last recorded index (`_supplyIndex`). The calculation of `_delta` is then used to determine the earned rewards (`_share`) for the user, based on their staked balance (`_supplied`). Here's the relevant code snippet:
The vulnerability arises if there are any errors or inconsistencies in updating the global index (`index`) or the user's last recorded index (`_supplyIndex`). If these indexes are not accurately updated, it may lead to an incorrect `_delta` value. Consequently, the `_share` calculated and added to `claimable[recipient]` will be larger than the actual earned rewards.
The overestimation of claimable rewards can result in users being able to claim more rewards than they have legitimately earned based on their staked balances. This may lead to an imbalance in the reward distribution, potentially resulting in users receiving a higher amount of rewards than they should have received, and could impact the fairness and integrity of the staking mechanism.
Manual
To address this potential issue, it is crucial to ensure the correctness and accuracy of the `index` and `_supplyIndex` updates in the `updateFor` function. Regularly updating the global index (`index`) and verifying its accuracy can help maintain the integrity of the reward distribution mechanism.
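One way to make that check concrete is an invariant that a fuzzer or unit test can exercise. The sketch below is an added example, not the audited contract's code: only `index`, `_supplyIndex`, `_supplied`, `_delta`, `_share`, `claimable` and `updateFor` come from the finding, while the contract name, `notifyReward`, `stake`, the `total*` counters and the 1e18 scale are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal index-based reward accounting (added example).
contract IndexRewardsSketch {
    uint256 internal constant PRECISION = 1e18; // assumed index scale

    uint256 public index;         // cumulative rewards per staked unit, scaled
    uint256 public totalSupplied; // total staked balance
    uint256 public totalNotified; // rewards folded into index so far
    uint256 public totalCredited; // sum of every credit made to claimable

    mapping(address => uint256) public supplied;
    mapping(address => uint256) public supplyIndex;
    mapping(address => uint256) public claimable;

    // Fold a new reward amount into the global index (division rounds down).
    function notifyReward(uint256 amount) external {
        require(totalSupplied > 0, "no stakers");
        index += amount * PRECISION / totalSupplied;
        totalNotified += amount;
    }

    // Settle at the old balance before the balance changes.
    function stake(uint256 amount) external {
        updateFor(msg.sender);
        supplied[msg.sender] += amount;
        totalSupplied += amount;
    }

    function updateFor(address recipient) public {
        uint256 _supplied = supplied[recipient];
        uint256 _supplyIndex = supplyIndex[recipient];
        // Snapshot unconditionally. If this write is skipped, the same _delta
        // is credited again on the next call; if it only runs when
        // _supplied > 0, a new staker keeps snapshot 0 and is later credited
        // for rewards notified before they staked.
        supplyIndex[recipient] = index;
        if (_supplied == 0) return;
        uint256 _delta = index - _supplyIndex;
        if (_delta == 0) return;
        uint256 _share = _supplied * _delta / PRECISION; // rounds down
        claimable[recipient] += _share;
        totalCredited += _share;
        // Invariant: credited rewards never exceed notified rewards.
        assert(totalCredited <= totalNotified);
    }
}
```

Because both divisions round down and every balance change settles first, the `assert` holds for any call sequence; a failing run points at a stale `index` or `supplyIndex` write.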